229 lines
		
	
	
	
		
			7.3 KiB
		
	
	
	
		
			Nix
		
	
	
	
	
	
			
		
		
	
	
			229 lines
		
	
	
	
		
			7.3 KiB
		
	
	
	
		
			Nix
		
	
	
	
	
	
| { lib, pkgs, ... }:
 | |
| let
 | |
|   inherit (builtins) readFile;
 | |
| in
 | |
| {
 | |
|   _class = "clan.service";
 | |
| 
 | |
|   manifest = {
 | |
|     name = "amarth-services/k3s";
 | |
|     description = "K3s service in order to set up a cluster";
 | |
|     categories = [ "System" "Network" "Containers" "Virtualisation" ];
 | |
|     readme = readFile ./README.md;
 | |
|   };
 | |
| 
 | |
|   #==============================================================================================================
 | |
|   # Server configuration
 | |
|   #==============================================================================================================
 | |
|   roles.server = {
 | |
|     interface = { lib, ... }:
 | |
|     let
 | |
|       inherit (lib) mkOption mkEnableOption mkIf types toString;
 | |
|     in
 | |
|     {
 | |
|       options = {
 | |
|         port = mkOption {
 | |
|           type = types.port;
 | |
|           default = 6443;
 | |
|           example = "6443";
 | |
|           description = ''
 | |
|             Temporary option till I figure out something useful
 | |
|           '';
 | |
|         };
 | |
| 
 | |
|         harbor.enable = mkEnableOption "Enable Harbor - container registry";
 | |
|         crossplane.enable = mkEnableOption "Enable Crossplane - control plane";
 | |
| 
 | |
|         crossplane.resources.composite = mkOption {
 | |
|           type = with types; listOf (either path attrs);
 | |
|           default = [];
 | |
|           example = lib.literalExpression ''
 | |
|             [
 | |
|               ../manifests/my-composite-resource.yml
 | |
|               {
 | |
|                 apiVersion = "v1";
 | |
|                 kind = "CompositeResourceDefinition";
 | |
|                 metadata = {
 | |
|                   name = "app-service";
 | |
|                 };
 | |
|                 spec = {
 | |
|                   selector = {
 | |
|                     "app.kubernetes.io/name" = "MyApp";
 | |
|                   };
 | |
|                   ports = [
 | |
|                     {
 | |
|                       name = "name-of-service-port";
 | |
|                       protocol = "TCP";
 | |
|                       port = 80;
 | |
|                       targetPort = "http-web-svc";
 | |
|                     }
 | |
|                   ];
 | |
|                 };
 | |
|               }
 | |
|             ];
 | |
|           '';
 | |
|           description = ''
 | |
|             Temporary option till I figure out something useful
 | |
|           '';
 | |
|         };
 | |
|       };
 | |
|     };
 | |
| 
 | |
|     perInstance = { instanceName, settings, machine, roles, ... }: {
 | |
|       nixosModule = { config, pkgs, lib, ... }: 
 | |
|       let
 | |
|         inherit (lib) mkOption mkEnableOption mkIf types toString;
 | |
|       in
 | |
|       {
 | |
|         environment.systemPackages = with pkgs; [ k9s linkerd ];
 | |
| 
 | |
|         clan.core.vars.generators.k3s = {
 | |
|           share = false;
 | |
|           files = {
 | |
|             ip_v6 = {
 | |
|               deploy = false;
 | |
|               secret = false;
 | |
|             };
 | |
|             ip_v4 = {
 | |
|               deploy = false;
 | |
|               secret = false;
 | |
|             };
 | |
|             token = {
 | |
|               deploy = true;
 | |
|               secret = true;
 | |
|             };
 | |
|           };
 | |
|           runtimeInputs = with pkgs; [ pwgen ];
 | |
|           script = ''
 | |
|             echo "::1" > "$out/ip_v6"
 | |
|             echo "127.0.0.1" > "$out/ip_v4"
 | |
|             pwgen 50 1 > "$out/token"
 | |
|           '';
 | |
|         };
 | |
| 
 | |
|         networking.firewall = {
 | |
|           allowedTCPPorts = [
 | |
|             6443 # k3s: required so that pods can reach the API server (running on port 6443 by default)
 | |
|             2379 # k3s, etcd clients: required if using a "High Availability Embedded etcd" configuration
 | |
|             2380 # k3s, etcd peers: required if using a "High Availability Embedded etcd" configuration
 | |
|           ];
 | |
| 
 | |
|           allowedUDPPorts = [
 | |
|             8472 # k3s, flannel: required if using multi-node for inter-node networking
 | |
|           ];
 | |
|         };
 | |
| 
 | |
|         systemd.paths = {
 | |
|           charts = {
 | |
|             name = "charts";
 | |
| 
 | |
|             wantedBy = ["k3s.service"];
 | |
| 
 | |
|             pathConfig = {
 | |
|               PathModified = config.services.k3s.autoDeployCharts.crossplane.target.path
 | |
|             };
 | |
|           };
 | |
|         };
 | |
| 
 | |
|         services.k3s = {
 | |
|           enable = true;
 | |
|           role = "server";
 | |
|           tokenFile = config.clan.core.vars.generators.k3s.files.token.path;
 | |
|           clusterInit = true;
 | |
| 
 | |
|           autoDeployCharts = {
 | |
|             harbor = mkIf settings.harbor.enable {
 | |
|               name = "harbor";
 | |
|               repo = "https://helm.goharbor.io";
 | |
|               version = "1.14.0";
 | |
|               hash = "sha256-fMP7q1MIbvzPGS9My91vbQ1d3OJMjwc+o8YE/BXZaYU=";
 | |
|               values = {
 | |
|                 existingSecretAdminPassword = "harbor-admin";
 | |
|                 expose = {
 | |
|                   tls = {
 | |
|                     enabled = true;
 | |
|                     certSource = "secret";
 | |
|                     secret.secretName = "my-tls-secret";
 | |
|                   };
 | |
|                   ingress = {
 | |
|                     hosts.core = "example.com";
 | |
|                     className = "nginx";
 | |
|                   };
 | |
|                 };
 | |
|               };
 | |
|             };
 | |
| 
 | |
|             crossplane = mkIf settings.crossplane.enable {
 | |
|               name = "crossplane";
 | |
|               repo = "https://charts.crossplane.io/stable";
 | |
|               version = "2.0.2";
 | |
|               hash = "sha256-5gk/dvOJAy5O++QkrnS0oVZaanDgNmF0107qKyri3Js=";
 | |
| 
 | |
|               targetNamespace = "crossplane-system";
 | |
|               createNamespace = true;
 | |
| 
 | |
|               values = {
 | |
|                 replicas = 1;
 | |
| 
 | |
|                 deploymentStrategy = "RollingUpdate";
 | |
|               };
 | |
| 
 | |
|               extraDeploy = settings.crossplane.resources.composite;
 | |
|             };
 | |
|           };
 | |
|         };
 | |
|       };
 | |
| 
 | |
|       # exports.port = settings.port;
 | |
|       # exports.address = "https://\${config.networking.fqdn}:${toString port}";
 | |
|     };
 | |
|   };
 | |
| 
 | |
|   #==============================================================================================================
 | |
|   # Agent configuration
 | |
|   #==============================================================================================================
 | |
|   roles.agent = {
 | |
|     interface = { lib, ... }: {
 | |
|       options = {};
 | |
|     };
 | |
| 
 | |
|     perInstance = { instanceName, settings, machine, roles, ... }: {
 | |
|       nixosModule = { config, ... }:
 | |
|         let
 | |
|           inherit (builtins) head pathExists readFile;
 | |
| 
 | |
|           server = head (lib.attrNames (roles.server.machines or { not_found = {}; }));
 | |
| 
 | |
|           # Read the server's ip address
 | |
|           ipAddressPath = "${config.clan.core.settings.directory}/vars/per-machine/${server}/k3s/ip_v4/value";
 | |
|           ipAddress = if pathExists ipAddressPath then readFile ipAddressPath else null;
 | |
| 
 | |
|           # Read the server's token
 | |
|           # tokenPath = "${config.clan.core.settings.directory}/vars/per-machine/${server}/k3s/token";
 | |
|           # token = if pathExists tokenPath then readFile tokenPath else null;
 | |
|         in
 | |
|         {
 | |
|           networking.firewall = {
 | |
|             allowedTCPPorts = [
 | |
|               6443 # k3s: required so that pods can reach the API server (running on port 6443 by default)
 | |
|               2379 # k3s, etcd clients: required if using a "High Availability Embedded etcd" configuration
 | |
|               2380 # k3s, etcd peers: required if using a "High Availability Embedded etcd" configuration
 | |
|             ];
 | |
| 
 | |
|             allowedUDPPorts = [
 | |
|               8472 # k3s, flannel: required if using multi-node for inter-node networking
 | |
|             ];
 | |
|           };
 | |
| 
 | |
|           services = {
 | |
|             k3s = {
 | |
|               enable = true;
 | |
|               role = "agent";
 | |
|               tokenFile = "/var/lib/k3s/__TODO_FIGURE_OUT_TOKEN__"; #config.clan.core.vars.generators.k3s.files.token.path;
 | |
|               serverAddr = "https://${server}.${config.networking.domain}:6443";
 | |
|             };
 | |
|           };
 | |
|         };
 | |
|     };
 | |
|   };
 | |
| }
 |